470 QoS Agent considers VLAN ID _before_ PVID is mapped to inbound pac

[KrisBoutilier]

I'm confused... the 470 doesn't support 802.1Q-in-Q (nested) VLAN tagging, so why do Layer 2 QoS filters seem to be processed before packets coming into a port are mapped into that ports PVID?

For example, I have edge ports that are configured 'Untag PVID', where the PVID is either 715 or 719 and they are also all members of 712. Ie. ports pass untagged traffic to/from either 715 or 719 and always pass tagged traffic to/from vlan 712. This is a basic Nortel IP Phone configuration (712 is the TLAN, 715 and 719 are different workgroups).

Traditionally VLAN 712 has had L2 QoS rules applied to it (Premium_Service) and everything else has been allowed to default. Now I'd like to apply a finer degree of control between 715 and 719 so I created filters for each, but no packets are ever 'hit' by the filters. If I create a L2 filter specifically to match packets without VLAN tags, the missing packets all show up there...

If, for testing, I reconfigure a port so that all traffic is tagged (ie. Tag All, Filter Untagged) then the packets happily hit on the correct L2 VLAN filters.

The switch is running FW:3.6.0.7 SW:v3.7.2.13 BN:00 ISVN:2 and the reference configuration is dumped below.

Any suggestions?

-------------------------

LAB#show qos l2-filters
Id  VLAN  VLAN Tag Ether     802.1p      DSCP  Protocol   Dest IP     Src IP
                   Type     Priority                      L4 Port     L4 Port
                                                         Min / Max   Min / Max
__ ______ ________ ______ _____________ ______ ________ ___________ ___________
1  Ignore Untagged Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore
2  715    Tagged   Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore
3  712    Tagged   Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore
4  719    Tagged   Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore


LAB#show qos l2-filter-sets
Layer2 Filter Sets

Id        Name       Acl Id Ace Id Ace Order
___ ________________ ______ ______ _________
1   Untagged_FGRP    1      1      1
2   Users_FGRP       2      2      1
3   TLAN_FGRP        3      3      1
4   INET_FGRP        4      4      1


LAB#show qos policies
Id        Name        State      Filter Set    Fltr        Role          Order
                                               Type     Combination
___ ________________ ________ ________________ ____ ____________________ _____
1   Untagged_L2POL   Enabled  Untagged_FGRP    L2   Edge_Ports           10
2   Users_L2POL      Enabled  Users_FGRP       L2   Edge_Ports           20
3   TLAN_L2POL       Enabled  TLAN_FGRP        L2   Edge_Ports           30
4   INET_L2POL       Enabled  INET_FGRP        L2   Edge_Ports           40

Id      Meter       In-Profile    Out-of-Profile     Shaper     Shaper  User
                      Action          Action                    Group   Group
                                                                       Session
___ ______________ ______________ ______________ ______________ ______ _______
1                  Standard_Servi                               0      0
2                  Standard_Servi                               0      0
3                  Standard_Servi                               0      0
4                  Standard_Servi                               0      0


LAB#show qos statistics
Id        Name          Packet    Overflow    Total      Total    InProfile
                         Hits      Packet     Octets    Overflow    Octets
                                    Hits                 Octets
___ ________________  __________ __________ __________ __________ __________
1   Untagged_L2POL    3683       0          806863     0          0
2   Users_L2POL       0          0          0          0          0
3   TLAN_L2POL        2668       0          171172     0          0
4   INET_L2POL        0          0          0          0          0

Id    Overflow  OutProfile  Overflow   Shaping    Overflow   Percent
     InProfile    Octets   OutProfile  Q Drops    Shaping   OutProfile
       Octets                Octets               Q Drops     Octets
___  __________ __________ __________ __________ __________ __________
1    0          0          0          0          0          0 %
2    0          0          0          0          0          0 %
3    0          0          0          0          0          0 %

 

[KrisBoutilier]

I think I've answered my own question thanks to some experimentation with a 5510. 'VLAN Tag' filters packets based on the on-the-wire 802.1q headers presence whereas 'VLAN' filters based on the actual VLAN the packets are mapped into, post-PVID. Thus in my case:

LAB#show qos l2-filters
Id  VLAN  VLAN Tag Ether     802.1p      DSCP  Protocol   Dest IP     Src IP
                   Type     Priority                      L4 Port     L4 Port
                                                         Min / Max   Min / Max
__ ______ ________ ______ _____________ ______ ________ ___________ ___________
1  715    Tagged   Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore
2  715    Untagged Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore
3  715    Ignore   Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore

Filter 1 matches nothing (715 is always untag PVID). Filter 2 matches all PVID traffic (again, because of the untag PVID), and Filter 3 also matches all traffic.

... which sort of explains why the 'VLAN Tag' parameter is tri-state - you might want to filter all PVIDed packets on a switch, without regard for the VLANs they're being mapped into.

Similarly, for my example of VLAN 712:

LAB#show qos l2-filters
Id  VLAN  VLAN Tag Ether     802.1p      DSCP  Protocol   Dest IP     Src IP
                   Type     Priority                      L4 Port     L4 Port
                                                         Min / Max   Min / Max
__ ______ ________ ______ _____________ ______ ________ ___________ ___________
1  719    Tagged   Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore
2  719    Untagged Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore
3  719    Ignore   Ignore Ignore        Ignore Ignore   Ignore      Ignore
                                                        Ignore      Ignore

Filter 1 matches everything (712 is always tagged) and Filter 3 also matches the same traffic. Filter 2 matches nothing (because 712 is never untagged on the wire).